Wireshark Analysis
Your Name Here
University Name
Course Name & Number
Instructor
Due Date
Introduction
Wireshark is an open-source packet analyzer used for network analysis, troubleshooting,
software and communications protocol development, and education. In this report we use the
tool to identify communication trends, possible security threats, and network anomalies
associated with the IP address 192.168.0.103. By exploring various Wireshark functions,
including conversation analysis, HTTPS and TCP port analysis, and the Expert Information output,
we describe the network communications of a typical user and shed light on the possible
applications of Wireshark in network analysis and troubleshooting.
Captured Activities
Conversations Analysis
My IP address, 192.168.0.103, is the address that appears most frequently in the “Address A”
column. On the local network, my IP address communicates with the gateway router (192.168.0.1)
for internet access. The interactions between my IP address and others depend on the services
and websites I was accessing during the capture.
There is significant traffic between 192.168.0.103 and 104.26.6.138, with my address
receiving 244 kB of data and sending 2 kB. The connection lasted about 49 seconds, at an
average rate of 39 kbps from 104.26.6.138 to my address and 357 bits/s in the opposite direction.
My address exchanges a smaller amount of traffic with 185.157.213.253 (associated with
GhostSocks malware), receiving only 1 kB and sending 624 bytes. The duration is
approximately 41 seconds, with rates of 166 and 122 bits/s respectively. In the interaction
between 192.168.0.103 and 35.174.127.31 (Amazon), my address sends 2 kB and receives 1 kB
in 48 seconds, with data rates of 180 and 272 bits/s.
A larger amount of data is exchanged between 192.168.0.103 and 35.190.80.1, with my
address sending 8 kB and receiving 6 kB in 30 seconds. There is minimal interaction with
35.227.232.140: 192.168.0.103 sends 55 bytes and receives 66 bytes in a very short span of 0.04
seconds; however, the data rates are significantly high at 10 kbps and 12 kbps. 192.168.0.103
sends 327 bytes to 38.244.132.66 (GhostSocks) and receives 378 bytes over approximately 31
seconds, with data rates of 85 and 98 bits/s. The address sends 306 bytes to 52.207.122.56
(Quora.com) and receives 186 bytes in 31 seconds, with data rates of 78 and 47 bits/s.
192.168.0.103 sends 534 bytes to 57.144.139.32 (Facebook) and receives 558 bytes in 43
seconds, with data rates of 98 and 103 bits/s. 192.168.0.103 sends 110 bytes to 64.233.167.188
(Google.com) and in return receives 132 bytes over 45 seconds, with data rates of 19 and 23
bits/s. This address sends 55 bytes to an external server (103.165.192.202) and receives 66 bytes
over only 0.2 seconds, but with very high data rates of 2188 and 2626 bits/s. It
also sends 55 bytes to Cloudflare, Inc. (104.16.117.55) and receives 66 bytes in just 0.0349
seconds, with high data rates of 12 and 15 kbps.
Additionally, my address interacts with multicast addresses. It sends 50 bytes to the 224.0.0.1
multicast address, which is associated with all hosts on the subnet. The 224.0.0.22 multicast
address, associated with Internet Group Management Protocol (IGMP) Version 3, receives 162
bytes from my IP address. 192.168.0.100 and 192.168.0.101 send data to 224.0.0.251.
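As an added illustration (not code from the original report), the following Python reproduces how Wireshark's IPv4 Conversations tab derives the Bytes A→B, Bytes B→A, Duration and Bits/s columns used throughout the analysis above; the packet records are constructed sample values, not packets from the capture.

```python
# Constructed packet records (timestamp in seconds, source, destination,
# frame length in bytes). These are sample values, not packets from the capture.
PACKETS = [
    (0.00, "192.168.0.103", "104.26.6.138", 74),
    (0.05, "104.26.6.138", "192.168.0.103", 74),
    (1.00, "192.168.0.103", "104.26.6.138", 600),
    (1.20, "104.26.6.138", "192.168.0.103", 1500),
    (49.00, "104.26.6.138", "192.168.0.103", 1500),
    (10.00, "192.168.0.103", "35.227.232.140", 55),
    (10.04, "35.227.232.140", "192.168.0.103", 66),
]

def conversations(packets):
    """Build an IPv4 conversation table like Wireshark's Conversations tab.

    Packets are grouped by the unordered address pair; Address A is the
    endpoint that appears first as a sender for that pair. Bytes are summed
    per direction, Duration is last timestamp minus first, and Bits/s is
    bytes * 8 / duration for each direction (0 when the duration is 0)."""
    convs = {}
    for ts, src, dst, length in packets:
        conv = convs.setdefault(frozenset((src, dst)),
                                {"a": src, "b": dst, "ab": 0, "ba": 0,
                                 "start": ts, "end": ts})
        if src == conv["a"]:
            conv["ab"] += length
        else:
            conv["ba"] += length
        conv["start"] = min(conv["start"], ts)
        conv["end"] = max(conv["end"], ts)

    rows = []
    for conv in convs.values():
        duration = conv["end"] - conv["start"]

        def bps(nbytes):
            return round(nbytes * 8 / duration) if duration > 0 else 0

        rows.append({"address_a": conv["a"], "address_b": conv["b"],
                     "bytes_ab": conv["ab"], "bytes_ba": conv["ba"],
                     "duration": round(duration, 4),
                     "bps_ab": bps(conv["ab"]), "bps_ba": bps(conv["ba"])})
    return rows

def busiest(rows):
    """Return the conversation that transferred the most bytes in total."""
    return max(rows, key=lambda r: r["bytes_ab"] + r["bytes_ba"])
```

Tiny conversations such as the 55/66-byte exchange show why a short duration produces a high bits/s figure even though almost no data moved.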
Exploration of Additional Tabs
Another tab that captured my interest was the TCP tab.
The Port A and Port B columns indicate the TCP port numbers used in the communication (Sharpe
et al., 2019). I noticed that my IP address uses various high-numbered ports, such as 62932,
62918, and 63081, which are typical client-side ephemeral ports (Gee, 2024). I also noticed that
most Address B entries use port 443, which indicates secure HTTP (HTTPS). Therefore, I can be
reasonably assured that my IP address initiates secure web connections to various servers.
The prevalence of HTTPS traffic is the norm, as most websites today use port 443.
The various addresses under Address B are the web services or servers my IP address is
interacting with. For instance, 52.207.122.56 is associated with Amazon Web Services servers
and 35.190.80.1 with the Google Cloud Platform. The presence of port 3323 alongside IP
address 185.81.157.19 is surprising because the services associated with it are not known; in some
cases it is associated with security risks and trojans. Just like in the IPv4 tab, the Bytes A→B and
Bytes B→A columns in the TCP tab indicate the amount of data transferred in each direction.
This enables us to identify and compare the connections that download large amounts of data
against those that only send data.
The 104.26.6.138:443 ⇋ 192.168.0.103:62938 connection involves sending 244
kB of data from 104.26.6.138 (Cloudflare, Inc.) to 192.168.0.103, with 2 kB in the reverse
direction. The duration of the connection was 49 seconds. Since the connection uses port
443, we conclude that Cloudflare, Inc. is a secure website, or at least that the API
request was safe. The 185.157.213.253:14371 ⇋ 192.168.0.103:62932
interaction involved 1 kB of data from the latter to the former and 624 bytes
in the reverse direction, a connection that lasted approximately 41 seconds. This
connection uses high-numbered ports. The 172.67.69.49:443 ⇋ 192.168.0.103:62900 connection
involves sending 55 bytes of data from my IP address to 172.67.69.49 and 66 bytes in the
opposite direction over 0.085 seconds. The presence of port 443 indicates HTTPS traffic,
possibly an API request or a website.
Analysis of Abnormal Activities
There are multiple Domain Name System (DNS) queries for “x.com”. This is normal
because I was browsing the site at that time; however, the repeated queries may be an indication
that something is frequently trying to resolve this name. The queries for “a.u10.twtrdns.net”
could not be explained. The frequent queries for “x.com” (lines 1, 2, 6, 7, 10, 11, 13, 14, and
15) are strange. Even though browsing the social media site would trigger these queries, the
repetitions, and the fact that both A and HTTPS records are repeatedly queried, could mean that
some application or script is constantly trying to resolve this domain. Therefore, it would be
better to find out which device on the network is making these requests. If that device
should not be accessing the website frequently, that is a red flag.
While interaction with external IP addresses is normal, the exact external IP addresses
and ports should be clear. The traffic to 172.66.0.2... should be investigated by performing
reverse DNS lookups on them to find out the organizations or domain names associated with
them. This strategy can be used to determine whether the questionable IP addresses are
associated with security risks, trojans, and malicious activity. The IP addresses can also be
checked against intelligence databases such as AbuseIPDB and VirusTotal.
Port 443 is mostly associated with HTTPS traffic over TCP. According to Sophos (2022),
it is not normal to see UDP traffic on port 443. The presence of UDP traffic on the port could
mean that there is a wrongly-configured application or possibly a security breach attempt. The
traffic on Port 62105 also warrants investigation. Therefore, we should examine the contents of
the UDP packets to figure out the type of data being transmitted. The service or application
generating the UDP traffic needs to be investigated. The IP address 172.66.0.227
(Cloudflare.com) is shared by several applications. Even though AbuseIPDB reports that the
address is on its whitelist, belonging to the subnet 172.64.0.0/13 identified as
“Cloudflare Reverse Proxy”, there have been reports of abusive activity such as phishing/spam
landing pages and brute-force SSH attempts (Cloudflare, 2023). CheckPhish Scanner also
associates it with phishing.
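As an added example (not code from the original report), the following Python applies the checks described in the TCP tab discussion and in the abnormal-activity section above to a set of constructed packet records: it separates ephemeral client ports from unexpected destination ports, flags UDP traffic to port 443, and counts repeated DNS queries for the same name. The record format, the expected-port set and the repeat threshold are my assumptions.

```python
from collections import Counter, defaultdict

# IANA dynamic/private range that clients draw ephemeral source ports from.
EPHEMERAL_START = 49152
# TCP destination ports treated as expected web traffic in this example.
EXPECTED_TCP_PORTS = {80, 443}

def is_ephemeral(port):
    return port >= EPHEMERAL_START

def dns_query(name, rtype):
    """Constructed DNS query record to the gateway resolver (sample data)."""
    return {"proto": "UDP", "src": "192.168.0.103", "sport": 61000,
            "dst": "192.168.0.1", "dport": 53, "dns": (name, rtype)}

# Constructed records mirroring the kinds of rows discussed in the report;
# they are sample data, not rows copied from the capture.
RECORDS = [
    {"proto": "TCP", "src": "192.168.0.103", "sport": 62938, "dst": "104.26.6.138", "dport": 443},
    {"proto": "TCP", "src": "192.168.0.103", "sport": 62932, "dst": "185.157.213.253", "dport": 14371},
    {"proto": "TCP", "src": "192.168.0.103", "sport": 63081, "dst": "185.81.157.19", "dport": 3323},
    {"proto": "UDP", "src": "192.168.0.103", "sport": 62105, "dst": "172.66.0.227", "dport": 443},
    dns_query("x.com", "A"), dns_query("x.com", "HTTPS"),
    dns_query("x.com", "A"), dns_query("x.com", "HTTPS"),
    dns_query("quora.com", "A"),
]

def flag_connections(records):
    """Flag UDP to port 443 (QUIC, or a misconfigured application) and TCP to
    a destination port that is neither an expected service port nor an
    ephemeral port, which is what made ports 3323 and 14371 stand out."""
    flags = []
    for r in records:
        if r["proto"] == "UDP" and r["dport"] == 443:
            flags.append(("udp_443", r["dst"], r["dport"]))
        elif (r["proto"] == "TCP" and r["dport"] not in EXPECTED_TCP_PORTS
              and not is_ephemeral(r["dport"])):
            flags.append(("nonstandard_tcp_port", r["dst"], r["dport"]))
    return flags

def repeated_dns_queries(records, threshold=3):
    """Names queried at least `threshold` times, with the record types seen,
    so a host repeatedly resolving the same domain can be picked out."""
    counts, types = Counter(), defaultdict(set)
    for r in records:
        if "dns" in r:
            name, rtype = r["dns"]
            counts[name] += 1
            types[name].add(rtype)
    return {name: (n, sorted(types[name]))
            for name, n in counts.items() if n >= threshold}
```

Anything flagged here is a lead for the reverse DNS lookup and AbuseIPDB/VirusTotal checks described above, not a verdict on its own.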
Wireshark Expert Information Output
The “Ignored Unknown Record (Protocol: TLS, Count: 1)” warning means that the
Transport Layer Security (TLS) dissector encountered a record type it did not recognize. A quick
search on Wireshark Q&A reveals that the cause could be a protocol mismatch, an abnormal
packet, or someone trying to use a non-standard protocol extension. This warning needs to be
investigated because it could suggest the presence of a security threat, a misconfiguration, or
someone trying to take advantage of a loophole.
The “DNS response missing (Protocol: mDNS, Count: 3)” warning could mean that a multicast DNS
request was sent but did not receive a reply. According to Oracle (2023), the mDNS protocol is
mainly used to discover services on the local network, such as printers or other devices. This
warning should be investigated because it could indicate a potential problem with the LAN, a
device on the local network that is not responding properly, or a device that has left the network.
Wireshark Q&A (2025) states that the warnings “Previous segment(s) not captured (common at
capture start)” and “ACKed segment that wasn't captured (common at capture start)” are
common when the capture begins in the middle of a TCP connection: Wireshark saw an
acknowledgement for data it did not capture. The warning does not warrant an investigation
because it is usually not harmful, especially when it occurs at the beginning of the capture.
The warning “DNS response retransmission (Protocol: mDNS, Count: 11)” means that
a DNS response was retransmitted; this could mean that the initial response was lost or
that the client did not receive it. Wireshark Q&A (2025) says that it is normal to get
occasional retransmissions; however, if the retransmissions are frequent, they could suggest a
problem with the DNS server or network congestion.
Conclusion
Initially, I thought that network analysis and security required expensive
software, until I encountered Wireshark. The application is extremely versatile in network
analysis and enables you to capture and explore network traffic in real time. The product enabled
me to analyze individual packets, understand the communication protocols involved, and
determine whether some IP addresses are associated with security threats. You can find out whether a
connection is a security threat by performing a reverse DNS lookup or by using threat intelligence
databases. I was able to filter traffic by network address, protocol, and port to
determine where there are anomalies. The Expert Information output highlights abnormalities and
questionable behaviors detected in network traffic, enabling analysis and
troubleshooting. Therefore, Wireshark is a great tool for network administrators and security
professionals.
References
Cloudflare. (2023, November 30). SSH bruteforce attempts from behind CF IP’s. Cloudflare
Community. https://community.cloudflare.com/t/ssh-bruteforce-attempts-from-behind-cf-ips/331580
Gee, T. (2024, June 17). Ephemeral vs. Non-Ephemeral Ports. Technology Gee.
https://www.technologygee.com/ephemeral-vs-non-ephemeral-ports/
Oracle. (2023). Multicast DNS and Service Discovery (System Administration Guide: Naming
and Directory Services (DNS, NIS, and LDAP)). Docs.oracle.com.
https://docs.oracle.com/cd/E19120-01/open.solaris/819-3194/dnsref-28/index.html
Sharpe, R., Warnicke, E., & Lamping, U. (2019). Wireshark User’s Guide. Wireshark.org.
https://www.wireshark.org/docs/wsug_html/
Sophos. (2022, November 8). QUIC: https on udp - Web Protection: Web Filtering &
Application Visibility/Control - UTM Firewall - Sophos Community - Connect, Learn,
and Stay Secure. Sophos.com.
https://community.sophos.com/utm-firewall/f/web-protection-web-filtering-application-visibility-control/116500/quic-https-on-udp
Wireshark Q&A. (2025). Wireshark Q&A. Wireshark.org.
https://osqa-ask.wireshark.org/questions/703/ssl-and-tls-ignored-unknown-record/